[midPoint] Import User Task failure

Florin. Stingaciu fstingaciu at mirantis.com
Thu Oct 20 06:25:58 CEST 2016


I managed to find the problematic user in AD after enabling TRACE logs in
ShadowCache. It turns out the user has a special char
(CN=İrem_LASTNAME,OU=People). I'm assuming this is causing midPoint to fail
processing this user and return a schema error.

I tried to ignore this user in my condition section, however I believe the
shadow is processed before the resource condition is checked and the task
fails with the error in my initial post. Are there any workarounds in which
this scenario is considered a Partial Failure so this task can continue
executing? This user is one of 50000.

A possible solution would involve raising a different error if an invalid
char (according to midPoint) was to be found on the resource. One that can
be caught in ShadowCache.java (
https://github.com/Evolveum/midpoint/blob/master/provisioning/provisioning-impl/src/main/java/com/evolveum/midpoint/provisioning/impl/ShadowCache.java#L875)
and returned as an "Object failed to processed" rather than a Schema Error.
I'm open to any suggestions.

Thanks,
-F

On Wed, Oct 19, 2016 at 1:14 PM, Florin. Stingaciu <fstingaciu at mirantis.com>
wrote:

> Also, this only happens with an Import Users task and not with a Reconcile
> Users task. The Reconcile Users task finishes successfully.
>
> On Wed, Oct 19, 2016 at 12:56 PM, Florin. Stingaciu <
> fstingaciu at mirantis.com> wrote:
>
>> Hello,
>>
>> My import users task fails with the following error:
>> http://pastebin.com/L0bKs9U2
>>
>> I tried increasing the log level, however the logs previous to this
>> pertain to the previous user that was successfully imported. The resource
>> is an active directory entry.
>>
>> My condition section looks as follows:
>>
>>     dn = basic.getAttributeValues(shadow, "dn")[0]
>>     if (dn == "someDN") {
>>         return false
>>     }
>>     else if (dn == "someotherDN") {
>>         return false
>>     }
>>     else if (dn.contains("a sub OU domain")) {
>>         return false
>>     }
>>     return (basic.getAttributeValues(shadow, "mail") != null)
>>
>>
>> I've tried removing the condition and that didn't help. Any ideas on what
>> could be the problem?
>>
>> Realistically, no entry in AD can have an empty DN. Could it maybe be a
>> bad shadow somewhere, missing the dn?
>>
>> Thanks,
>> -F
>>
>
>
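
To locate entries like the one described in this message (a DN containing a non-ASCII character such as the İ in the CN) before running an import over tens of thousands of accounts, an LDIF export of the directory can be scanned offline. The following is an added example, not code from the thread or from midPoint; the sample LDIF, names and function names are constructed, and the "case mapping changes length" flag is an assumption about what makes such characters awkward, not a confirmed cause of the schema error.

```python
import base64
import unicodedata

DOTTED_I = "\u0130"  # LATIN CAPITAL LETTER I WITH DOT ABOVE, as in the CN above
# Constructed sample export; names and domain are placeholders, not from the thread.
SAMPLE_DN = "CN=" + DOTTED_I + "rem_EXAMPLE,OU=People,DC=example,DC=com"
SAMPLE_LDIF = (
    "dn: CN=Alice_EXAMPLE,OU=People,DC=example,DC=com\n"
    "mail: alice@example.com\n"
    "\n"
    # RFC 2849: a value with non-ASCII bytes is written as "dn:: <base64 of UTF-8>"
    "dn:: " + base64.b64encode(SAMPLE_DN.encode("utf-8")).decode("ascii") + "\n"
    "mail: irem@example.com\n"
)

def iter_dns(ldif_text):
    """Yield every entry DN, unfolding continuation lines and decoding 'dn::'."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line: drop the leading space
        else:
            lines.append(raw)
    for line in lines:
        if line.startswith("dn::"):       # base64-encoded UTF-8 value
            yield base64.b64decode(line[4:].strip()).decode("utf-8")
        elif line.startswith("dn:"):      # plain ASCII value
            yield line[3:].strip()

def suspicious_chars(dn):
    """Return (char, Unicode name, reason) for each non-ASCII character in dn."""
    found = []
    for ch in dn:
        if ord(ch) < 128:
            continue
        reason = "non-ASCII"
        # Characters such as U+0130 lower-case to two code points.
        if len(ch.lower()) != 1 or len(ch.upper()) != 1:
            reason = "case mapping changes length"
        found.append((ch, unicodedata.name(ch, "UNKNOWN"), reason))
    return found

def scan(ldif_text):
    """Map each DN that contains non-ASCII characters to its findings."""
    report = {}
    for dn in iter_dns(ldif_text):
        hits = suspicious_chars(dn)
        if hits:
            report[dn] = hits
    return report

if __name__ == "__main__":
    for dn, hits in scan(SAMPLE_LDIF).items():
        print(dn, hits)
```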